According to the [http://msdn2.microsoft.com/en-us/library/ms533046.aspx Microsoft Developer Network], HTTPOnly is an ''additional flag'' included in a Set-Cookie HTTP response header. Using the HTTPOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).

+

According to the [http://msdn2.microsoft.com/en-us/library/ms533046.aspx Microsoft Developer Network], HttpOnly is an ''additional flag'' included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).

*The example below shows the syntax used within the '''HTTP response header''':

*The example below shows the syntax used within the '''HTTP response header''':

Line 16:

Line 16:

Set-Cookie: <name>=<value>[; <Max-Age>=<age>]

Set-Cookie: <name>=<value>[; <Max-Age>=<age>]

[; expires=<date>][; domain=<domain_name>]

[; expires=<date>][; domain=<domain_name>]

−

[; path=<some_path>][; secure][; HTTPOnly]

+

[; path=<some_path>][; secure][; HttpOnly]

−

If the HTTPOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting '''(XSS)''' flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

+

If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting '''(XSS)''' flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

−

If a browser does not support HTTPOnly and a website attempts to set an HTTPOnly cookie, the HTTPOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft of modification by malicious script. [http://msdn2.microsoft.com/en-us/library/ms533046.aspx Mitigating], [http://msdn2.microsoft.com/en-us/library/ms533046.aspx]

+

If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft of modification by malicious script. [http://msdn2.microsoft.com/en-us/library/ms533046.aspx Mitigating], [http://msdn2.microsoft.com/en-us/library/ms533046.aspx]

−

<h3 style=color:#4682B4> <u> Mitigating the Most Common XSS attack using HTTPOnly </u> </h3>

+

<h3 style=color:#4682B4> <u>Mitigating the Most Common XSS attack using HttpOnly</u> </h3>

According to [http://msdn2.microsoft.com/en-us/library/ms972826.aspx Michael Howard], Senior Security Program Manager in the Secure Windows Initiative group at Microsoft, the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HTTPOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.

According to [http://msdn2.microsoft.com/en-us/library/ms972826.aspx Michael Howard], Senior Security Program Manager in the Secure Windows Initiative group at Microsoft, the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HTTPOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.

−

If a browser that supports HTTPOnly detects a cookie containing the HTTPOnly flag, and client side script code attempts to read the cookie, the browser ''returns an empty string'' as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website. [http://msdn2.microsoft.com/en-us/library/ms972826.aspx Howard], [http://msdn2.microsoft.com/en-us/library/ms972826.aspx]

+

If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser ''returns an empty string'' as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website. [http://msdn2.microsoft.com/en-us/library/ms972826.aspx Howard], [http://msdn2.microsoft.com/en-us/library/ms972826.aspx]

−

<h5 style=color:#2E8B57> <u> Using Java to Set HTTPOnly </u> </h5>

+

<h5 style=color:#2E8B57> <u>Using Java to Set HttpOnly</u> </h5>

Sun Java EE supports HttpOnly flag in Cookie interface since version 6 (Servlet class version 3)[http://java.sun.com/javaee/6/docs/api/javax/servlet/http/Cookie.html#setHttpOnly%28boolean%29], also for session cookies (JSESSIONID)[http://java.sun.com/javaee/6/docs/api/javax/servlet/SessionCookieConfig.html#setHttpOnly%28boolean%29]. Methods ''setHttpOnly'' and ''isHttpOnly'' can be used to set and check for HttpOnly value in cookies.

Sun Java EE supports HttpOnly flag in Cookie interface since version 6 (Servlet class version 3)[http://java.sun.com/javaee/6/docs/api/javax/servlet/http/Cookie.html#setHttpOnly%28boolean%29], also for session cookies (JSESSIONID)[http://java.sun.com/javaee/6/docs/api/javax/servlet/SessionCookieConfig.html#setHttpOnly%28boolean%29]. Methods ''setHttpOnly'' and ''isHttpOnly'' can be used to set and check for HttpOnly value in cookies.

In '''Tomcat 6''' flag ''useHttpOnly=True'' in context.xml to force this behaviour for applications[http://tomcat.apache.org/tomcat-6.0-doc/config/context.html], including Tomcat-based frameworks like JBoss[http://www.jboss.org/feeds/post/httponly_cookies_in_tomcat_jboss].

−

*By ''default'', '''.NET 2.0''' sets the HTTPOnly attribute for

+

Servlet 3.0 (Java EE 6) introduced a standard way to configure HttpOnly attribute for the session cookie, this can be done by applying the following configuration in web.xml

+

&lt;session-config&gt;

+

&lt;cookie-config&gt;

+

&lt;http-only&gt;true&lt;/http-only&gt;

+

&lt;/cookie-config>

+

&lt;session-config&gt;

+

+

<h5 style=color:#2E8B57> <u>Using .NET to Set HttpOnly</u> </h5>

+

+

*By ''default'', '''.NET 2.0''' sets the HttpOnly attribute for

*#Session ID

*#Session ID

*#Forms Authentication cookie

*#Forms Authentication cookie

−

In .NET 2.0, HTTPOnly can also be set via the HttpCookie object for all custom application cookies

+

In .NET 2.0, HttpOnly can also be set via the HttpCookie object for all custom application cookies

*Via '''web.config''' in the system.web/httpCookies element

*Via '''web.config''' in the system.web/httpCookies element

<httpCookies httpOnlyCookies="true" …>

<httpCookies httpOnlyCookies="true" …>

Line 60:

Line 69:

*However, in '''.NET 1.1''', you would have to do this ''manually'', e.g.,

*However, in '''.NET 1.1''', you would have to do this ''manually'', e.g.,

Using WebGoat's HttpOnly lesson, the following web browsers have been tested for HttpOnly support. If the browsers enforces HttpOnly, a client side script will be unable to read or write the session cookie. However, there is currently no prevention of reading or writing the session cookie via a XMLHTTPRequest.

+

+

Note: These results may be out of date as this page is not well maintained. A great site that is focused on keeping up with the status of browsers is at: http://www.browserscope.org/. For the most recent security status of various browsers, including many details beyond just HttpOnly, go to the browserscope site, and then click on the Security Tab on the table at the bottom of the page. The Browserscope site does not provide as much detail on HttpOnly as this page, but provides lots of other details this page does not.

−

Using WebGoat's HTTPOnly lesson, the following web browsers have been tested for HTTPOnly support. If the browsers enforces HTTPOnly, a client side script will be unable to read or write the session cookie. However, there is currently no prevention of reading or writing the session cookie via a XMLHTTPRequest. The results are listed below in '''table 1'''.

+

Our results as of Feb 2009 are listed below in '''table 1'''.

{|border="2" width="100%" align="center"

{|border="2" width="100%" align="center"

−

|+ '''Table 1:''' Browsers Supporting HTTPOnly

+

|+ '''Table 1:''' Browsers Supporting HttpOnly

|-

|-

! style="background:black; color:white" | '''Browser'''

! style="background:black; color:white" | '''Browser'''

Line 97:

Line 118:

| align="center" | Yes

| align="center" | Yes

| align="center" | Yes

| align="center" | Yes

−

| align="center" | Partially (set-cookie is protected, but not set-cookie2, see [http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx])

<nowiki>*</nowiki> An attacker could still read the session cookie in a response to an '''[http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/ XmlHttpRequest]'''.

<nowiki>*</nowiki> An attacker could still read the session cookie in a response to an '''[http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/ XmlHttpRequest]'''.

−

== Using WebGoat to Test for HTTPOnly Support ==

+

As of 2011, 99% of browsers and most web application frameworks do support httpOnly<ref>[http://blog.fortify.com/blog/2011/11/02/Misunderstandings-on-HttpOnly-Cookie Misunderstandings on HttpOnly Cookie]</ref>.

+

+

== Using WebGoat to Test for HttpOnly Support ==

−

The goal of this section is to provide a step-by-step example of testing your browser for HTTPOnly support.

+

The goal of this section is to provide a step-by-step example of testing your browser for HttpOnly support.

<h3 style=color:#4682B4> <u> WARNING</u> </h3>

<h3 style=color:#4682B4> <u> WARNING</u> </h3>

−

The OWASP WEBGOAT HTTPOnly lab is broken and does not show IE 8 Beta 2 with ms08-069 as complete in terms of HTTPOnly XMLHTTPRequest header leakage protection. This error is being tracked via [http://code.google.com/p/webgoat/issues/detail?id=18 http://code.google.com/p/webgoat/issues/detail?id=18].

+

The OWASP WEBGOAT HttpOnly lab is broken and does not show IE 8 Beta 2 with ms08-069 as complete in terms of HttpOnly XMLHTTPRequest header leakage protection. This error is being tracked via [http://code.google.com/p/webgoat/issues/detail?id=18 http://code.google.com/p/webgoat/issues/detail?id=18].

Assuming you have installed and launched WebGoat, begin by navigating to the '''‘HTTPOnly Test’ lesson''' located within the Cross-Site Scripting ('''XSS''') category. After loading the ‘HTTPOnly Test’ lesson, as shown in '''figure 1''', you are now able to begin testing web browsers supporting HTTPOnly.

+

Assuming you have installed and launched WebGoat, begin by navigating to the '''‘HttpOnly Test’ lesson''' located within the Cross-Site Scripting ('''XSS''') category. After loading the ‘HttpOnly Test’ lesson, as shown in '''figure 1''', you are now able to begin testing web browsers supporting HTTPOnly.

<h3 style=color:#4682B4> <u> Lesson Goal </u> </h3>

<h3 style=color:#4682B4> <u> Lesson Goal </u> </h3>

−

If the ''HTTPOnly flag'' is set, then your browser should not allow a client-side script to access the session cookie. Unfortunately, since the attribute is relatively new, several browsers may neglect to handle the new attribute properly.

+

If the ''HttpOnly flag'' is set, then your browser should not allow a client-side script to access the session cookie. Unfortunately, since the attribute is relatively new, several browsers may neglect to handle the new attribute properly.

−

The '''purpose''' of this lesson is to test whether your browser supports the '''HTTPOnly cookie flag'''. ''Note the value of the'' '''''unique2u cookie'''''. If your browser supports HTTPOnly, and you ''enable'' it for a cookie, a client-side script should NOT be able to read OR write to that cookie, but the browser can still send its value to the server. However, some browsers only prevent client side read access, but do not prevent write access.

+

The '''purpose''' of this lesson is to test whether your browser supports the '''HttpOnly cookie flag'''. ''Note the value of the'' '''''unique2u cookie'''''. If your browser supports HTTPOnly, and you ''enable'' it for a cookie, a client-side script should NOT be able to read OR write to that cookie, but the browser can still send its value to the server. However, some browsers only prevent client side read access, but do not prevent write access.

The following test was performed on two browsers, '''Internet Explorer 7''' and '''Opera 9.22''', to demonstrate the results when the HTTPOnly flag is enforced properly. As you will see, IE7 properly enforces the HTTPOnly flag, whereas Opera does not properly enforce the HTTPOnly flag.

+

The following test was performed on two browsers, '''Internet Explorer 7''' and '''Opera 9.22''', to demonstrate the results when the HttpOnly flag is enforced properly. As you will see, IE7 properly enforces the HttpOnly flag, whereas Opera does not properly enforce the HttpOnly flag.

*An alert dialog box will display on the screen notifying you that ''since HTTPOnly was not enabled'', the '''‘unique2u’ cookie''' was successfully modified on the client side as shown below in '''figure 4'''.

+

*An alert dialog box will display on the screen notifying you that ''since HttpOnly was not enabled'', the '''‘unique2u’ cookie''' was successfully modified on the client side as shown below in '''figure 4'''.

*Finally, we will test if the browser allows '''write access''' to the cookie with HTTPOnly enabled.

+

*Finally, we will test if the browser allows '''write access''' to the cookie with HttpOnly enabled.

6) Select the '''"Write Cookie"''' button.

6) Select the '''"Write Cookie"''' button.

−

*If the browser enforces the HTTPOnly flag properly, client side modification will be unsuccessful in writing to the '''‘unique2u’ cookie''' and an alert dialog box will display only containing the session ID as shown below in '''figure 8'''.

+

*If the browser enforces the HttpOnly flag properly, client side modification will be unsuccessful in writing to the '''‘unique2u’ cookie''' and an alert dialog box will display only containing the session ID as shown below in '''figure 8'''.

*However, if the browser does not enforce the write protection property of HTTPOnly flag for the '''‘unique2u’ cookie''', the cookie will be successfully modified to ''HACKED'' on the client side as shown below in '''figure 9'''.

+

*However, if the browser does not enforce the write protection property of HttpOnly flag for the '''‘unique2u’ cookie''', the cookie will be successfully modified to ''HACKED'' on the client side as shown below in '''figure 9'''.

Overview

The goal of this section is to introduce, discuss, and provide language specific mitigation techniques for HttpOnly.

Who developed HttpOnly? When?

According to a daily blog article by Jordan Wiens, “No cookie for you!,” HttpOnly cookies were first implemented in 2002 by Microsoft Internet Explorer developers for Internet Explorer 6 SP1. Wiens,
[1]

What is HttpOnly?

According to the Microsoft Developer Network, HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).

The example below shows the syntax used within the HTTP response header:

If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script (again if the browser supports this flag). As a result, even if a cross-site scripting (XSS) flaw exists, and a user accidentally accesses a link that exploits this flaw, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.

If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie (typically your session cookie) becomes vulnerable to theft of modification by malicious script. Mitigating, [2]

Mitigating the Most Common XSS attack using HttpOnly

According to Michael Howard, Senior Security Program Manager in the Secure Windows Initiative group at Microsoft, the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HTTPOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.

If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's website. Howard, [3]

Using Java to Set HttpOnly

Sun Java EE supports HttpOnly flag in Cookie interface since version 6 (Servlet class version 3)[4], also for session cookies (JSESSIONID)[5]. Methods setHttpOnly and isHttpOnly can be used to set and check for HttpOnly value in cookies.

For older versions there the workaround is to rewrite JSESSIONID value using and setting it as a custom header[6].

Browsers Supporting HttpOnly

Using WebGoat's HttpOnly lesson, the following web browsers have been tested for HttpOnly support. If the browsers enforces HttpOnly, a client side script will be unable to read or write the session cookie. However, there is currently no prevention of reading or writing the session cookie via a XMLHTTPRequest.

Note: These results may be out of date as this page is not well maintained. A great site that is focused on keeping up with the status of browsers is at: http://www.browserscope.org/. For the most recent security status of various browsers, including many details beyond just HttpOnly, go to the browserscope site, and then click on the Security Tab on the table at the bottom of the page. The Browserscope site does not provide as much detail on HttpOnly as this page, but provides lots of other details this page does not.

Getting Started

Figure 1 - Accessing WebGoat's HttpOnly Test Lesson

Assuming you have installed and launched WebGoat, begin by navigating to the ‘HttpOnly Test’ lesson located within the Cross-Site Scripting (XSS) category. After loading the ‘HttpOnly Test’ lesson, as shown in figure 1, you are now able to begin testing web browsers supporting HTTPOnly.

Lesson Goal

If the HttpOnly flag is set, then your browser should not allow a client-side script to access the session cookie. Unfortunately, since the attribute is relatively new, several browsers may neglect to handle the new attribute properly.

The purpose of this lesson is to test whether your browser supports the HttpOnly cookie flag. Note the value of theunique2u cookie. If your browser supports HTTPOnly, and you enable it for a cookie, a client-side script should NOT be able to read OR write to that cookie, but the browser can still send its value to the server. However, some browsers only prevent client side read access, but do not prevent write access.

Testing Web Browsers for HttpOnly Support

The following test was performed on two browsers, Internet Explorer 7 and Opera 9.22, to demonstrate the results when the HttpOnly flag is enforced properly. As you will see, IE7 properly enforces the HttpOnly flag, whereas Opera does not properly enforce the HttpOnly flag.

Disabling HttpOnly

1) Select the option to turn HttpOnly off as shown below in figure 2.

Figure 2 - Disabling HttpOnly

2) After turning HttpOnly off, select the “Read Cookie” button.

An alert dialog box will display on the screen notifying you that since HttpOnly was not enabled, the ‘unique2u’ cookie was successfully read as shown below in figure 3.

An alert dialog box will display on the screen notifying you that since HttpOnly was not enabled, the ‘unique2u’ cookie was successfully modified on the client side as shown below in figure 4.

Figure 4 - Cookie Successfully Written with HttpOnly Off

As you have seen thus far, browsing without HttpOnly on is a potential threat. Next, we will enable HttpOnly to demonstrate how this flag protects the cookie.

Enabling HttpOnly

4) Select the radio button to enable HttpOnly as shown below in figure 5.

Figure 5 - Enabling HttpOnly

5) After enabling HttpOnly, select the "Read Cookie" button.

If the browser enforces the HttpOnly flag properly, an alert dialog box will display only the session ID rather than the contents of the ‘unique2u’ cookie as shown below in figure 6.

Figure 6 - Enforced Cookie Read Protection

However, if the browser does not enforce the HttpOnly flag properly, an alert dialog box will display both the ‘unique2u’ cookie and session ID as shown below in figure 7.

Figure 7 - Unenforced Cookie Read Protection

Finally, we will test if the browser allows write access to the cookie with HttpOnly enabled.

6) Select the "Write Cookie" button.

If the browser enforces the HttpOnly flag properly, client side modification will be unsuccessful in writing to the ‘unique2u’ cookie and an alert dialog box will display only containing the session ID as shown below in figure 8.

Figure 8 - Enforced Cookie Write Protection

However, if the browser does not enforce the write protection property of HttpOnly flag for the ‘unique2u’ cookie, the cookie will be successfully modified to HACKED on the client side as shown below in figure 9.